[123027] in North American Network Operators' Group
Re: Future timestamps in /var/log/secure
daemon@ATHENA.MIT.EDU (gordon b slater)
Fri Feb 26 13:52:46 2010
X-IP-MAIL-FROM: gordslater@ieee.org
From: gordon b slater <gordslater@ieee.org>
To: Brielle Bruns <bruns@2mbit.com>
In-Reply-To: <4B8812EE.2020003@2mbit.com>
Date: Fri, 26 Feb 2010 18:50:02 +0000
Cc: nanog@nanog.org
Reply-To: gordslater@ieee.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Fri, 2010-02-26 at 11:29 -0700, Brielle Bruns wrote:
> Aren't the timestamps inserted by syslog rather than the reporting
> program itself?
>
that's my understanding also (clarification: syslogs of your server have
timestamps of your syslog server's time, IMHO)

eg: on my Debian systems I don't split the logging to /var/log/secure, I
can usually handle a large log OK, but it's easy enough to get the
authpriv* stuff to log to /v/l/secure if needed. So, my point is,
syslogd.conf tells syslogd where to put them, and it stamps the time for
each entry.

> What syslog do you use - classic (ie: sysklogd) or a modern one like
> rsyslog? It almost looks like the timezone got changed from local to
> GMT or similar, then swapped back (as odd as it may sound).

On a cautionary note, I've seen tz-change shenanigans to mask
unauthorised access before, so might be a good time to have a quick poke
around with a tinfoil hat on, just in case. Don't have a heart attack
though, not yet :)

Gord
--
this .sig space reserved by ITU-T pending clarification of intentions
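
Added example (not part of the original message or thread): since syslogd stamps entries as it writes them, a log file should never step backwards in time, and a backwards step of roughly a whole number of hours is what a timezone change and revert would leave behind. The sketch below flags such steps; the sample lines, host name, year and the two-minute tolerance are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Classic syslog prefix: "Feb 26 11:29:03 host prog[pid]: msg" (no year, no zone)
STAMP = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) ")

def parse_stamp(line, year):
    """Parse the leading timestamp; the year must be supplied by the caller."""
    m = STAMP.match(line)
    if not m:
        return None
    mon, day, hms = m.groups()
    return datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")

def find_time_jumps(lines, year, tolerance=timedelta(seconds=5)):
    """Return (line_no, step_back, tz_like) for every backwards step in time.

    tz_like is True when the step is within 2 minutes of a whole number of
    hours and no larger than 26 hours (the widest gap between two zones).
    Files that span New Year will show one false step with a fixed year.
    """
    findings, prev = [], None
    for no, line in enumerate(lines, 1):
        ts = parse_stamp(line, year)
        if ts is None:
            continue  # continuation or unparseable line
        if prev is not None and ts < prev - tolerance:
            step = prev - ts
            off = step.total_seconds() % 3600
            tz_like = step <= timedelta(hours=26) and min(off, 3600 - off) <= 120
            findings.append((no, step, tz_like))
        prev = ts
    return findings

# Constructed sample: lines 3-4 are stamped about seven hours ahead of the rest.
SAMPLE = [
    "Feb 26 11:20:01 host sshd[1001]: Accepted publickey for alice",
    "Feb 26 11:25:40 host sshd[1002]: Failed password for root",
    "Feb 26 18:26:10 host sshd[1003]: Accepted password for bob",
    "Feb 26 18:27:02 host su: session opened for user root",
    "Feb 26 11:27:30 host sshd[1004]: Failed password for root",
]

if __name__ == "__main__":
    for no, step, tz_like in find_time_jumps(SAMPLE, 2010):
        print(f"line {no}: time steps back {step} (tz-like: {tz_like})")
```

Entries between the last normal timestamp and the flagged line are the ones to read closely, along with any change to /etc/localtime or the TZ environment of the syslog daemon around that time.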